Abstract

Reduction theorems allow one to deduce properties of a concurrent system specification from properties of a simpler, coarser-grained version called the reduced specification. We present reduction theorems based upon a more precise relation between the original and reduced specifications than earlier ones, permitting the use of reduction to reason about a larger class of properties. In particular, we present reduction theorems that handle general liveness properties.
1 Introduction



We reason about a high-level specification of a system, with a large grain of atomicity, and hope thereby to deduce properties of a finer-grained implementation. For example, the single atomic action

$$x, y := f(x, y),\, g(x, y)$$

of a high-level algorithm might be implemented by the sequence of actions

$$P(sem);\; t := x;\; x := f(x, y);\; y := g(t, y);\; V(sem) \qquad (1)$$

where $P$ and $V$ are the usual operations on a binary semaphore $sem$, and $t$ is a new variable. This process is usually justified by asserting that the two specifications are, in some suitable sense, "equivalent". A reduction theorem is a general rule for deriving an "equivalent" higher-level specification $S^R$ from a lower-level one $S$. We call $S^R$ the reduced version of $S$. For example, $S$ might be a multiprocess program containing critical sections, and $S^R$ might be obtained from $S$ by replacing each critical section with a single atomic statement.

The first reduction theorem was proposed by Lipton [10]. Several others followed [3, 5, 4, 6, 9]. In these theorems, executions of the reduced specification and of the original one are completely separate, sharing only certain properties. In the reduction theorems we present here, the original and reduced specifications "run in parallel", their executions connected by a coupling invariant [7]. Our theorems thereby provide a more precise (and hence stronger) statement of the relation between the original and the reduced specifications. This enables certain hypotheses to be stated as assumptions about a given execution, rather than in the stronger form of assumptions about all executions. In particular, we relate liveness properties of executions of the two specifications, obtaining what we believe to be the first published general reduction theorems that handle liveness. The only previous theorems we know that concern liveness are Back's [3] results for total correctness of sequential programs and a theorem in [4] showing that certain progress properties of a component are preserved under fair parallel composition with an environment.

Our theorems are stated in TLA (the Temporal Logic of Actions) [8], but they should be adaptable to other formalisms with a trace-based semantics. Space does not permit us to include examples; they will appear elsewhere.
2 The Relation Between $S$ and $S^R$



We begin by examining the relation between the original specification $S$ and the reduced version $S^R$. We want to infer properties of $S$ by proving properties of $S^R$. For this, $S$ and $S^R$ needn't be equivalent; it's necessary only that $S$ implement $S^R$ — for some suitable notion of implementation.

Suppose $S$ represents a multiprocess program with shared variables $x$ and $y$ that are accessed only in critical sections, and the reduced version $S^R$ is obtained by replacing each critical section with a single atomic statement — for example, replacing (1) with

$$t, x, y := x,\, f(x, y),\, g(x, y)$$

One sense in which $S$ implements $S^R$ is that, if we ignore the times when a process is in a critical section, $S$ assigns the same sequences of values to all variables that $S^R$ does. This is the notion of implementation used by Doeppner in his reduction theorem [6]. While satisfactory for many purposes, this notion of implementation is rather weak. It says nothing about what is true while a process is in its critical section, which can be a problem because assertional reasoning requires proving that an invariant holds at all times.

Let $v$ be the tuple of all variables of $S$, including $x$ and $y$. Our stronger notion of implementation is that there exists a tuple of "virtual variables" $\hat v$ such that, as $S$ changes the real variables $v$, the virtual variables $\hat v$ change according to the specification $\hat S^R$ obtained from $S^R$ by replacing each real variable by its virtual counterpart. The relation between the real and virtual variables is expressed by a predicate $I$ relating $v$ and $\hat v$. (Such a predicate is known as a "coupling invariant" [7].) This generalizes Doeppner's notion of implementation if $I$ implies $v = \hat v$ when no process is in a critical section. For example, during execution of the critical section (1), $I$ might imply:

$$\hat t, \hat x, \hat y \;=\; \left\{ \begin{array}{ll}
t,\, x,\, y & \text{before executing } t := \ldots \\
t,\, f(x, y),\, g(x, y) & \text{just after executing } t := \ldots \\
t,\, x,\, g(t, y) & \text{just after executing } x := \ldots \\
t,\, x,\, y & \text{after executing } y := \ldots
\end{array} \right.$$

All the steps of the critical section leave the virtual variables unchanged except for the assignment to $t$, which performs the "virtual assignment"

$$\hat t, \hat x, \hat y := x,\, f(x, y),\, g(x, y)$$
Expressed in temporal logic, this implementation relation is

$$S \Rightarrow \exists \hat v : \Box I \wedge \hat S^R \qquad (2)$$

where $\exists$ is existential quantification over flexible$^1$ variables.$^2$ This is approximately the conclusion of our reduction theorems.

We would like to prove that $S^R$ satisfies (implies) a property $\Pi$ and deduce that $S$ satisfies $\Pi$. By (2), all we can infer from $S^R \Rightarrow \Pi$ is $S \Rightarrow \exists \hat v : \Box I \wedge \hat\Pi$. How useful this is depends upon the nature of $I$ and $\Pi$. Space precludes a discussion of how our reduction theorem can be applied. We just mention one important case. Suppose $I$ implies $\hat z = z$ for every variable $z$ occurring in $\Pi$. In this case, $\exists \hat v : \Box I \wedge \hat\Pi$ implies $\Pi$, so we infer $S \Rightarrow \Pi$ from $S^R \Rightarrow \Pi$. It is this result that justifies the well-known rule for reasoning about multiprocess programs that allows grouping a sequence of operations into a single atomic action if they include only a single access to a shared variable [11].



3 An Intuitive View of Reduction

We consider the situation in which one operation $M$ is reduced to a single atomic action $M^R$ — for example, one critical section is replaced by an atomic statement. Reduction of multiple operations can be performed by applying the theorem multiple times to reduce one operation at a time.

A single execution of the operation $M$ consists of a sequence of $M$ steps. These can be interleaved with other system steps, which we call $E$ steps, as in:

$$\cdots\; s_{41} \xrightarrow{M} s_{42} \xrightarrow{E} s_{43} \xrightarrow{M} s_{44} \xrightarrow{E} s_{45} \xrightarrow{E} s_{46} \xrightarrow{M} s_{47} \xrightarrow{M} s_{48} \;\cdots \qquad (3)$$

We think of $E$ as $M$'s environment. The idea is to construct a behavior "equivalent to" (3) by moving all the $M$ steps together, as in

$$\cdots\; s_{41} \xrightarrow{E} u_{42} \xrightarrow{M} u_{43} \xrightarrow{M} u_{44} \xrightarrow{M} u_{45} \xrightarrow{M} u_{46} \xrightarrow{E} u_{47} \xrightarrow{E} s_{48} \;\cdots \qquad (4)$$

which is then equivalent to the behavior

$$\cdots\; s_{41} \xrightarrow{E} u_{42} \xrightarrow{M^R} u_{46} \xrightarrow{E} u_{47} \xrightarrow{E} s_{48} \;\cdots \qquad (5)$$

of the reduced system.

$^1$ In temporal logic, a flexible variable is one whose value can change over time; a rigid variable is one whose value is fixed.

$^2$ As with any form of implementation, this works only if $S^R$ allows stuttering steps and $\exists$ preserves stuttering invariance [8].

Figure 1: Constructing (7) from (6). [Figure: four behaviors, each obtained from the one above it by commuting adjacent $E$ steps with $R$ or $L$ steps.]

$$s_{41} \xrightarrow{R} s_{42} \xrightarrow{E} s_{43} \xrightarrow{X} s_{44} \xrightarrow{E} s_{45} \xrightarrow{E} s_{46} \xrightarrow{L} s_{47} \xrightarrow{L} s_{48}$$
$$s_{41} \xrightarrow{E} u_{42} \xrightarrow{R} s_{43} \xrightarrow{X} s_{44} \xrightarrow{E} s_{45} \xrightarrow{L} r_{46} \xrightarrow{E} s_{47} \xrightarrow{L} s_{48}$$
$$s_{41} \xrightarrow{E} u_{42} \xrightarrow{R} s_{43} \xrightarrow{X} s_{44} \xrightarrow{L} u_{45} \xrightarrow{E} r_{46} \xrightarrow{L} u_{47} \xrightarrow{E} s_{48}$$
$$s_{41} \xrightarrow{E} u_{42} \xrightarrow{R} s_{43} \xrightarrow{X} s_{44} \xrightarrow{L} u_{45} \xrightarrow{L} u_{46} \xrightarrow{E} u_{47} \xrightarrow{E} s_{48}$$

To construct behavior (4), we restrict $M$ so that its execution consists of a sequence of $R$ steps, followed by an $X$ step, followed by a sequence of $L$ steps. We say that an execution of $M$ is in its first phase before $X$ is executed, and in its second phase after $X$ is executed. (The terminology comes from the use of reduction to prove serializability of the two-phased locking discipline of database concurrency control.) Intuitively, $M$ receives information from its environment in the first phase, and sends information to its environment in the second phase. Behaviors (3) and (4) are then

$$\cdots\; s_{41} \xrightarrow{R} s_{42} \xrightarrow{E} s_{43} \xrightarrow{X} s_{44} \xrightarrow{E} s_{45} \xrightarrow{E} s_{46} \xrightarrow{L} s_{47} \xrightarrow{L} s_{48} \;\cdots \qquad (6)$$

$$\cdots\; s_{41} \xrightarrow{E} u_{42} \xrightarrow{R} u_{43} \xrightarrow{X} u_{44} \xrightarrow{L} u_{45} \xrightarrow{L} u_{46} \xrightarrow{E} u_{47} \xrightarrow{E} s_{48} \;\cdots \qquad (7)$$

To obtain (7) from (6), we must move $R$ actions to the right and $L$ actions to the left. We say that action $A$ right commutes with action $B$, and $B$ left commutes with $A$, iff for any states $r$, $s$, and $t$ such that $r \xrightarrow{A} s \xrightarrow{B} t$, there exists a state $u$ such that $r \xrightarrow{B} u \xrightarrow{A} t$. If $R$ actions right commute with $E$ actions and $L$ actions left commute with $E$ actions, then we can obtain (7) from (6) by commuting actions as shown in Figure 1. Observe that, since we don't have to commute the $X$ action, $u_{43} = s_{43}$ and $u_{44} = s_{44}$.

Lipton [10] was concerned with pre/postconditions, so he essentially transformed (6) to (5). Doeppner [6] transformed (6) to (7) and observed that the new behavior differs from the original only on states in which the system is in the middle of operation $M$. In our theorems, we use the behavior (7) to construct the virtual variables $\hat v$ for the behavior (6). The value of $\hat v$ in a state $s_i$ of (6) is defined to be the value of $v$ in a corresponding state $\nu(s_i)$ of (7), where the correspondence is shown in Figure 2. For example, $\nu(s_{44}) = u_{46}$, so the value of $\hat v$ in state $s_{44}$ of (6) is the value of $v$ in state $u_{46}$ of (7). Observe that $R$ and $L$ steps leave $\hat v$ unchanged, and the $X$ step changes $\hat v$ the way an $M^R$ step changes $v$ (see (5)).

Figure 2: The correspondence $\nu$ between states of (6) and of (7). [Figure: behavior (6) drawn above behavior (7), with an arrow $\nu$ from each state of (6) to its corresponding state of (7).]

$$\cdots\; s_{41} \xrightarrow{R} s_{42} \xrightarrow{E} s_{43} \xrightarrow{X} s_{44} \xrightarrow{E} s_{45} \xrightarrow{E} s_{46} \xrightarrow{L} s_{47} \xrightarrow{L} s_{48} \;\cdots$$
$$\cdots\; s_{41} \xrightarrow{E} u_{42} \xrightarrow{R} s_{43} \xrightarrow{X} s_{44} \xrightarrow{L} u_{45} \xrightarrow{L} u_{46} \xrightarrow{E} u_{47} \xrightarrow{E} s_{48} \;\cdots$$

For an action $A$, let $\xrightarrow{A^+}$ be the irreflexive transitive closure of $\xrightarrow{A}$, so $s \xrightarrow{A^+} t$ iff there exist states $r_1, \ldots, r_n$ such that $s \xrightarrow{A} r_1 \xrightarrow{A} \cdots \xrightarrow{A} r_n \xrightarrow{A} t$. There is the following relation between a state $s_i$ and its corresponding state $\nu(s_i)$.

• If (in state $s_i$) $M$ is not currently being executed — states $s_{41}$ and $s_{48}$ in Figure 2 — then $s_i = \nu(s_i)$.

• In the first phase (execution of $M$ begun but $X$ not yet executed) — states $s_{42}$ and $s_{43}$ in Figure 2 — we have $\nu(s_i) \xrightarrow{R^+} s_i$.

• In the second phase ($X$ executed but $M$ not terminated) — states $s_{44}$ through $s_{47}$ in Figure 2 — we have $s_i \xrightarrow{L^+} \nu(s_i)$. (To see that $s_{45} \xrightarrow{L^+} \nu(s_{45})$, observe from Figure 1 that $s_{45} \xrightarrow{L} r_{46} \xrightarrow{L} u_{47}$.)

Observe also that:

• $M$ is not currently being executed in a state $\nu(s_i)$.

The construction of $\nu$ described by Figure 2 works only if, once the $X$ step has occurred, the execution of $M$ eventually terminates. The construction can also be made to work if the entire system halts after executing $X$, as long as we can extend the behavior (6) by adding a finite sequence of $L$ actions that complete the execution of $M$. Therefore, in the conclusion of our reduction theorems, we must replace (2) with

$$S \wedge Q \Rightarrow \exists \hat v : \Box I \wedge \hat S^R \qquad (8)$$

where $Q$ asserts that, once an $X$ step has occurred, either the execution of $M$ eventually terminates or else the entire system halts in a state in which it is possible to complete the execution of $M$. Note that we allow behaviors in which execution of $M$ remains forever in its first phase, never taking an $X$ step.
4 Safety in TLA

In TLA, a state is an assignment of values to all flexible variables, and a behavior is a sequence of states. An action is a predicate that may contain primed and unprimed flexible variables. If $A$ is the action $x' = 1 + y$, then $s \xrightarrow{A} t$ is true iff the value assigned to $x$ by state $t$ equals 1 plus the value assigned by state $s$ to $y$. The canonical form of the safety$^3$ part of a specification is $Init \wedge \Box[N]_v$, where $Init$ is a state predicate (a formula containing only unprimed flexible variables), $N$ is an action called the next-state action, $v$ is the tuple of all flexible variables occurring in $Init$ and $N$, and $[N]_v$ is an abbreviation for $N \vee (v' = v)$.$^4$ A behavior $s_1, s_2, \ldots$ satisfies this formula iff $Init$ is true in the initial state $s_1$ and $s_i \xrightarrow{[N]_v} s_{i+1}$ holds for all $i$ — that is, iff $Init$ holds initially and every step is either an $N$ step or a stuttering step (one that leaves all the relevant variables unchanged).

From now on, we assume that $v$ is the tuple of all flexible variables that appear in our formulas.

The next-state action $N$ is usually written as the disjunction of all the individual atomic actions of the system. For our reduction theorems, $N$ is defined to equal $M \vee E$, where $M$ is the disjunction of the atomic actions of the operation being reduced, and $E$ is the disjunction of the other system actions. We assume two state predicates $\mathcal{R}$ and $\mathcal{L}$, where $\mathcal{R}$ is true when execution of $M$ is in its first phase ($M$ has begun but $X$ has not yet been executed), and $\mathcal{L}$ is true when execution of $M$ is in its second phase ($X$ has been executed but $M$ has not yet terminated). We take $Init$, $M$, $E$, $\mathcal{R}$, and $\mathcal{L}$ to be parameters of the theorems. The theorems assume the following hypotheses, which assert that $\mathcal{R}$ and $\mathcal{L}$ are consistent with their interpretations as assertions about the progress of $M$. The hypotheses are explained below.

(a) $Init \Rightarrow \neg(\mathcal{R} \vee \mathcal{L})$ \qquad (c) $\neg(\mathcal{L} \wedge M \wedge \mathcal{R}')$ \qquad (9)
(b) $E \Rightarrow (\mathcal{R}' = \mathcal{R}) \wedge (\mathcal{L}' = \mathcal{L})$ \qquad (d) $\neg(\mathcal{R} \wedge \mathcal{L})$

(a) The system starts with $M$ not in the middle of execution.

(b) Executing an action of the environment cannot change the phase.

(c) Execution of $M$ can't go directly from the second phase to the first phase (without completing the execution).

(d) The two phases are disjoint. This hypothesis is actually unnecessary; given predicates $\mathcal{R}$ and $\mathcal{L}$ that satisfy the other hypotheses, we can satisfy this assumption as well by replacing either $\mathcal{R}$ with $\mathcal{R} \wedge \neg\mathcal{L}$ or $\mathcal{L}$ with $\mathcal{L} \wedge \neg\mathcal{R}$.

$^3$ Any property is the conjunction of a safety property, which constrains finite behavior, and a liveness property [2].

$^4$ For any expression $e$ containing no primes, $e'$ is the expression obtained from $e$ by priming its flexible variables.

We define the actions $R$, $L$, and $X$ in terms of $M$, $\mathcal{R}$, and $\mathcal{L}$ by

$$R \triangleq M \wedge \mathcal{R}' \qquad L \triangleq \mathcal{L} \wedge M \qquad X \triangleq (\neg\mathcal{L}) \wedge M \wedge (\neg\mathcal{R}') \qquad (10)$$

That is, an $R$ step is an $M$ step that ends in the first phase, an $L$ step is an $M$ step that starts in the second phase, and an $X$ step is any other $M$ step. Either phase can be empty. Both phases might even be empty, in which case execution of $M$ consists of just a single $X$ step.

We define the sequential composition $A \cdot B$ of actions $A$ and $B$ so that $s \xrightarrow{A \cdot B} t$ iff there exists a state $u$ for which $s \xrightarrow{A} u \xrightarrow{B} t$. Equivalently, $A \cdot B$ equals $\exists r : A(r/v') \wedge B(r/v)$, where $r$ is a tuple of rigid variables, $A(r/v')$ denotes $A$ with each primed variable of $v$ replaced by the corresponding component of $r$, and $B(r/v)$ denotes $B$ with each unprimed flexible variable of $v$ replaced by the corresponding component of $r$. The equivalence of the two definitions is seen by letting $r$ be the tuple of values assigned to the variables in $v$ by the state $u$. The definition of commutativity given above can be restated as: action $A$ right commutes with action $B$, and $B$ left commutes with $A$, iff $A \cdot B \Rightarrow B \cdot A$. We can then state the commutativity hypotheses we used in the previous section as $R \cdot E \Rightarrow E \cdot R$ and $E \cdot L \Rightarrow L \cdot E$.

We define $A^+$ to equal $A \vee (A \cdot A) \vee (A \cdot A \cdot A) \vee \cdots$. This defines $s \xrightarrow{A^+} t$ to have the same meaning as above. A complete execution of $M$ is a sequence of $M$ steps starting and ending in states for which $M$ is not in the middle of its execution — that is, in states satisfying $\neg(\mathcal{R} \vee \mathcal{L})$. We therefore define:

$$M^R \triangleq \neg(\mathcal{R} \vee \mathcal{L}) \wedge M^+ \wedge \neg(\mathcal{R} \vee \mathcal{L})' \qquad (11)$$

We define $N$, $N^R$, $S$, and $S^R$ by

$$N \triangleq M \vee E \qquad\qquad S \triangleq Init \wedge \Box[N]_v \qquad (12)$$
$$N^R \triangleq M^R \vee E \qquad\quad S^R \triangleq Init \wedge \Box[N^R]_v$$

Suppose $s \xrightarrow{A} t$. If the tuple of variables $v$ has the value $v_s$ in state $s$ and the value $v_t$ in state $t$, then the relation $A(v_s/v, v_t/v')$, obtained by substituting the elements of $v_s$ for the unprimed flexible variables of $A$ and the elements of $v_t$ for the primed variables of $A$, holds. We constructed the tuple $\hat v$ of virtual variables by defining a mapping $\nu$ on states of a behavior and defining the value of $\hat v$ in a state $s$ to be the tuple of values of $v$ in the state $\nu(s)$. This means that, if $s \xrightarrow{A} \nu(s)$, then the values of $v$ and $\hat v$ in state $s$ satisfy $A(v/v, \hat v/v')$, which is just $A(\hat v/v')$. If $\nu(s) \xrightarrow{A} s$, then the values of $v$ and $\hat v$ in state $s$ satisfy $A(\hat v/v, v/v')$. From the four observations above, based on Figure 2, about how $s$ and $\nu(s)$ are related, we obtain the following definition of the relation $I$ between $v$ and $\hat v$:$^5$

$$I \;\triangleq\; \begin{array}{ll}
\wedge & \mathcal{R} \Rightarrow R^+(\hat v/v, v/v') \\
\wedge & \mathcal{L} \Rightarrow L^+(\hat v/v') \\
\wedge & \neg(\mathcal{R} \vee \mathcal{L}) \Rightarrow (\hat v = v) \\
\wedge & \neg(\mathcal{R} \vee \mathcal{L})(\hat v/v)
\end{array} \qquad (13)$$
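The following Python program is an added example; it is not code from the paper. It builds the critical section (1) of Section 1 as a finite-state system, represents actions as sets of (state, state') pairs, and evaluates the definitions of Sections 2 through 4 on it: the composition $A \cdot B$ and closure $A^+$, the actions $R$, $L$, $X$ of (10), hypotheses (9) and the commutativity conditions of Theorem 1, the reduced action $M^R$ of (11), the completion condition (15) of Section 5, and the coupling invariant (13) through a concrete mapping $\nu$ built as in Figure 2. The domains and functions are constructed assumptions (t, x, y range over 0..2, f(x,y) = x+y mod 3, g(x,y) = x·y mod 3, and the environment E only toggles a private bit z); the names f, g, m_steps, virtual and the check functions are this example's own.

```python
"""Finite-state check of the reduction machinery of Sections 2-5 on the
critical section (1).  Added example, not code from the paper.  Constructed
assumptions: t, x, y range over 0..2 with f(x,y) = x+y mod 3 and
g(x,y) = x*y mod 3, and the environment E only toggles a private bit z.
Actions are sets of (state, state') pairs, so A.B, A+, ENABLED and the
hypotheses of Theorem 1 are evaluated directly from their definitions."""
from itertools import product

# State = (pc, sem, t, x, y, z).  pc locates the one process executing (1):
# 0 outside, 1 after P(sem), 2 after t := x, 3 after x := f(x,y), 4 after
# y := g(t,y); V(sem) returns pc to 0.  sem is held exactly while pc != 0.
def f(x, y): return (x + y) % 3
def g(x, y): return (x * y) % 3
STATES = [(pc, int(pc == 0), t, x, y, z)
          for pc, t, x, y, z in product(range(5), range(3), range(3), range(3), range(2))]

def m_steps(s):
    """Successor of s under M: the next atomic step of (1)."""
    pc, sem, t, x, y, z = s
    return [[(1, 0, t, x, y, z)],             # P(sem)        (an R step)
            [(2, 0, x, x, y, z)],             # t := x        (the X step)
            [(3, 0, t, f(x, y), y, z)],       # x := f(x,y)   (an L step)
            [(4, 0, t, x, g(t, y), z)],       # y := g(t,y)   (an L step)
            [(0, 1, t, x, y, z)]][pc]         # V(sem)        (an L step)

M = {(s, u) for s in STATES for u in m_steps(s)}
E = {(s, s[:5] + (1 - s[5],)) for s in STATES}     # E flips z, nothing else
def in_R(s): return s[0] == 1                      # first phase, calligraphic R
def in_L(s): return s[0] in (2, 3, 4)              # second phase, calligraphic L
def outside(s): return not (in_R(s) or in_L(s))

def compose(A, B):
    """A.B: s -> t iff s -A-> u -B-> t for some state u."""
    succ = {}
    for u, t in B:
        succ.setdefault(u, set()).add(t)
    return {(s, t) for s, u in A for t in succ.get(u, ())}

def plus(A):
    """A+ = A v A.A v A.A.A v ...; terminates because the state space is finite."""
    closure, frontier = set(A), set(A)
    while frontier:
        frontier = compose(frontier, A) - closure
        closure |= frontier
    return closure

# (10): R = M ∧ R', L = L ∧ M, X = ¬L ∧ M ∧ ¬R'  (R, L the phase predicates)
R = {(s, u) for s, u in M if in_R(u)}
L = {(s, u) for s, u in M if in_L(s)}
X = {(s, u) for s, u in M if not in_L(s) and not in_R(u)}
R_PLUS, L_PLUS = plus(R), plus(L)

def check_theorem1_hypotheses():
    """Hypotheses 1(b)-(d) of (9) and the commutativity conditions 2(a), 2(b)."""
    return {"1b E preserves the phases":
                all(in_R(s) == in_R(u) and in_L(s) == in_L(u) for s, u in E),
            "1c no M step from L to R'": not any(in_L(s) and in_R(u) for s, u in M),
            "1d phases disjoint": not any(in_R(s) and in_L(s) for s in STATES),
            "2a R.E => E.R": compose(R, E) <= compose(E, R),
            "2b E.L => L.E": compose(E, L) <= compose(L, E)}

def reduced_action():
    """(11): M^R = ¬(R∨L) ∧ M+ ∧ ¬(R∨L)', one or more complete executions of (1)."""
    return {(s, u) for s, u in plus(M) if outside(s) and outside(u)}

def atomic_statement():
    """t, x, y := x, f(x,y), g(x,y), the statement that replaces (1) in S^R."""
    return {((0, 1, t, x, y, z), (0, 1, x, f(x, y), g(x, y), z))
            for t, x, y, z in product(range(3), range(3), range(3), range(2))}

def check_completion():
    """(15): ENABLED (L+ ∧ ¬L') holds in every second-phase state."""
    can_finish = {s for s, u in L_PLUS if not in_L(u)}
    return all(s in can_finish for s in STATES if in_L(s))

def virtual(s):
    """v̂ for s as in Figure 2: s itself outside M, the state before the R
    steps in the first phase, the state after the remaining L steps in the second."""
    if outside(s):
        return s
    cands = ({p for p, q in R_PLUS if q == s and outside(p)} if in_R(s) else
             {q for p, q in L_PLUS if p == s and outside(q)})
    assert len(cands) == 1               # (1) is deterministic, so v̂ is unique here
    return cands.pop()

def check_coupling_invariant():
    """Every clause of (13) between v = s and v̂ = virtual(s), for all states s."""
    def clause(s, v):
        if in_R(s): return (v, s) in R_PLUS          # R+(v̂/v, v/v')
        if in_L(s): return (s, v) in L_PLUS          # L+(v̂/v')
        return v == s                                # v̂ = v
    return all(clause(s, virtual(s)) and outside(virtual(s)) for s in STATES)

def trace(t=0, x=1, y=2, z=0):
    """One execution of (1) from a constructed start: the table of Section 2."""
    s = (0, 1, t, x, y, z)
    rows = [(s[2:5], virtual(s)[2:5])]
    for _ in range(5):                   # P, t := x, x := ..., y := ..., V
        s = m_steps(s)[0]
        rows.append((s[2:5], virtual(s)[2:5]))
    return rows                          # list of (real (t,x,y), virtual (t,x,y))

if __name__ == "__main__":
    print(check_theorem1_hypotheses())
    print("M^R == (atomic statement)+ :", reduced_action() == plus(atomic_statement()))
    print(trace())
```

Two details are worth noticing when running it. First, $M^R$ as defined by (11) is $M^+$ between states outside $M$, so it admits several consecutive complete executions as one step; the program therefore compares it with the closure $(\text{atomic statement})^+$ rather than with the single atomic statement. Second, `trace()` reproduces the table of Section 2: the virtual triple stays equal to the real one through $P(sem)$, jumps to $(x, f(x,y), g(x,y))$ at the $t := x$ step, and is then left unchanged by the remaining $L$ steps, while the $X$ step pairs $(\nu(s), \nu(t))$ are exactly steps of the atomic statement.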

5 Liveness in TLA

In temporal logic, $\Box$ means always and its dual $\Diamond$, defined to equal $\neg\Box\neg$, means eventually. Thus, $\Box\Diamond$ means infinitely often and $\Diamond\Box$ means eventually forever.

Let $\sigma$ be the behavior $s_1, s_2, \ldots$. For a predicate $P$, formula $\Box\Diamond P$ is true for $\sigma$ iff $P$ is true for infinitely many states $s_i$, and $\Diamond\Box P$ is true for $\sigma$ iff $P$ is true for all states $s_i$ with $i > n$, for some $n$. For an action $A$, formula $\Box\Diamond A$ is true for $\sigma$ iff $s_i \xrightarrow{A} s_{i+1}$ is true for infinitely many $i$. To maintain invariance under stuttering, we must write $\Box\Diamond\langle A\rangle_v$ rather than $\Box\Diamond A$, where $\langle A\rangle_v$ is defined to equal $A \wedge (v' \neq v)$. The formula $\Box\Diamond\langle A\rangle_v$ asserts of a behavior that there are infinitely many nonstuttering $A$ steps.

We define $\mathrm{ENABLED}\,A$ to be the predicate asserting that action $A$ is enabled. It is true of a state $s$ iff there exists some state $t$ such that $s \xrightarrow{A} t$. Equivalently, $\mathrm{ENABLED}\,A$ equals $\exists r : A(r/v')$, where $r$ is a tuple of rigid variables.

We observed above that the conclusion of a reduction theorem should be (8), where $Q$ asserts that either (i) $M$ must eventually terminate after the $X$ step has occurred, or (ii) the entire system halts in a state in which execution of a finite number of $L$ steps can complete the execution of $M$.

To express (i), note that an $X$ step makes $\mathcal{L}$ true, and $\mathcal{L}$ remains true until $M$ terminates.$^6$ Thus, (i) asserts that $\mathcal{L}$ does not remain true forever, an assertion expressed by $\neg\Diamond\Box\mathcal{L}$, which is equivalent to $\Box\Diamond\neg\mathcal{L}$. We can weaken this condition by allowing the additional possibility that, infinitely often, it is possible to take a sequence of $L$ steps that makes $\mathcal{L}$ false, if such a sequence can lead to only a finite number of possible values of $v$.

$^5$ We let a list of formulas bulleted with $\wedge$ or $\vee$ denote the conjunction or disjunction of the formulas, using indentation to eliminate parentheses.

$^6$ More precisely, an $X$ step either makes $\mathcal{L}$ true or terminates the execution of $M$.

To express (ii), we note that in TLA, halting is described by a behavior that ends with an infinite sequence of stuttering steps, so eventual halting is expressed by $\Diamond\Box[\mathrm{FALSE}]_v$ (which is equivalent to $\Diamond\Box(v' = v)$). It is possible to complete the execution of $M$ by taking $L$ steps iff a sequence of $L$ steps can make $\mathcal{L}$ false, which is true iff it is possible to take an $L^+$ step with $\mathcal{L}$ false in the final state. Thus, condition (ii) can be expressed as $\Diamond\Box([\mathrm{FALSE}]_v \wedge \mathrm{ENABLED}\,(L^+ \wedge \neg\mathcal{L}'))$.

Using the temporal logic tautology $\Diamond\Box(F \wedge G) \equiv (\Diamond\Box F \wedge \Diamond\Box G)$, we define $Q$ by

$$Q \;\triangleq\; \begin{array}{ll}
\vee & \Box\Diamond(\neg\mathcal{L} \vee (\exists!!\, r : \mathrm{ENABLED}\,((L^+ \wedge \neg\mathcal{L}')(r/v')))) \\
\vee & \Diamond\Box[\mathrm{FALSE}]_v \wedge \Diamond\Box\,\mathrm{ENABLED}\,(L^+ \wedge \neg\mathcal{L}')
\end{array} \qquad (14)$$

where $\exists!!\, r : F$ means that there exists a finite, nonzero number of values for $r$ for which $F$ holds. We can now state our first reduction theorem, for specifications $S$ that are safety properties.

Theorem 1 Let $Init$, $\mathcal{R}$, and $\mathcal{L}$ be state predicates; let $E$ and $M$ be actions; and let $v$ be the tuple of all flexible variables that occur free in these predicates and actions. Let $R$, $L$, $S$, $S^R$, $I$, and $Q$ be defined by (10)–(14). If

1. (a) $Init \Rightarrow \neg(\mathcal{R} \vee \mathcal{L})$ \qquad (c) $\neg(\mathcal{L} \wedge M \wedge \mathcal{R}')$
   (b) $E \Rightarrow (\mathcal{R}' = \mathcal{R}) \wedge (\mathcal{L}' = \mathcal{L})$ \qquad (d) $\neg(\mathcal{R} \wedge \mathcal{L})$

2. (a) $R \cdot E \Rightarrow E \cdot R$ \qquad (b) $E \cdot L \Rightarrow L \cdot E$

then $S \wedge Q \Rightarrow \exists \hat v : \Box I \wedge \hat S^R$, where $\hat v$ is a tuple of new variables and $\hat{\ }$ denotes substitution of the variables $\hat v$ for the variables $v$.

The specifications $S$ and $S^R$ are safety properties, so it may appear that we are using the liveness property $Q$ to prove that one safety property implies another. We need $Q$ in general because, even though $\Box I \wedge \hat S^R$ is necessarily a safety property, $\exists \hat v : \Box I \wedge \hat S^R$ need not be one. Recall that the purpose of a reduction theorem is to deduce properties of $S$ by proving properties of $S^R$. For the purpose of proving safety properties, we can eliminate $Q$ by adding the hypothesis

$$\mathcal{L} \Rightarrow \mathrm{ENABLED}\,(L^+ \wedge \neg\mathcal{L}') \qquad (15)$$

which asserts that, after executing $X$, it is always possible to complete the execution of $M$. Let $\mathcal{C}(\Pi)$ be the strongest safety property implied by property $\Pi$, so $\Pi$ is a safety property iff $\Pi = \mathcal{C}(\Pi)$. (The operator $\mathcal{C}$ is a topological closure operator [1].) Hypothesis (15) implies $\mathcal{C}(S \wedge Q) = S$. Since $\mathcal{C}$ is monotonic ($\Pi \Rightarrow \Phi$ implies $\mathcal{C}(\Pi) \Rightarrow \mathcal{C}(\Phi)$), this proves:

Corollary 2 With the notations and assumptions of Theorem 1, let $\Pi$ be a safety property. If $\mathcal{L} \Rightarrow \mathrm{ENABLED}\,(L^+ \wedge \neg\mathcal{L}')$, then $(\exists \hat v : \Box I \wedge \hat S^R) \Rightarrow \Pi$ implies

6 Reducing Fairness Conditions

Most TLA specifications are of the form $S \wedge F$, where $S$ is as in (12) and $F$ is a liveness condition. We would like to extend the conclusion (8) to

$$S \wedge F \wedge Q \Rightarrow \exists \hat v : \Box I \wedge \hat S^R \wedge \hat F^R \qquad (16)$$

where $F^R$ is a suitable reduced version of $F$. The liveness condition $F$ is usually expressed as a conjunction of WF (weak fairness) and/or SF (strong fairness) formulas, defined by

$$\mathrm{WF}_v(A) \triangleq \Box\Diamond\neg\mathrm{ENABLED}\,\langle A\rangle_v \vee \Box\Diamond\langle A\rangle_v$$
$$\mathrm{SF}_v(A) \triangleq \Diamond\Box\neg\mathrm{ENABLED}\,\langle A\rangle_v \vee \Box\Diamond\langle A\rangle_v$$

Let's begin by considering the simple case where $F$ equals $\mathrm{WF}_v(A)$, for some action $A$. (The case $F = \mathrm{SF}_v(A)$ is similar.) In this case, $F^R$ should equal $\mathrm{WF}_v(A^R)$, where $A^R$ is the reduced version of action $A$. Reduction means replacing the given action $M$ by $M^R$; it's not clear what the reduced version of an arbitrary action $A$ should be. There are two cases in which the definition is obvious:

• If $A$ is disjoint from $M$, then $A^R = A$.

• If $A$ includes $M$, so $A = (A \wedge E) \vee M$, then $A^R = (A \wedge E) \vee M^R$.

We generalize these two cases by taking $A^R$ to be $(A \wedge E) \vee A^R_M$, where an $A^R_M$ step consists of a complete execution of $M$ that includes at least one $A \wedge M$ step. The formal definition is:

$$A^R_M \triangleq \neg(\mathcal{R} \vee \mathcal{L}) \wedge M^* \cdot (A \wedge M) \cdot M^* \wedge \neg(\mathcal{R} \vee \mathcal{L})' \qquad (17)$$

where $M^*$ stands for $[M^+]_v$.

From the definition of WF and a little predicate logic, we see that to prove (16), it suffices to prove:

$$S \wedge Q \Rightarrow \exists \hat v : \Box I \wedge \hat S^R \wedge (\Box\Diamond\langle A\rangle_v \Rightarrow \Box\Diamond\langle \hat A^R\rangle_{\hat v}) \qquad (18)$$

$$\Box I \wedge \Diamond\Box\,\mathrm{ENABLED}\,\langle \hat A^R\rangle_{\hat v} \Rightarrow \Diamond\Box\,\mathrm{ENABLED}\,\langle A\rangle_v \qquad (19)$$

(Here (18) carries the disjunct $\Box\Diamond\langle A\rangle_v$ of $\mathrm{WF}_v(A)$ over to $\hat A^R$, and the contrapositive of (19) carries the other disjunct, $\Box\Diamond\neg\mathrm{ENABLED}\,\langle A\rangle_v$, over to $\hat A^R$; together, under $\Box I$, they yield $\mathrm{WF}_v(A) \Rightarrow \mathrm{WF}_{\hat v}(\hat A^R)$.) For SF, we must replace $\Diamond\Box$ by $\Box\Diamond$ in (19). We consider the proofs of (18) and (19) separately.

To prove (18), we must show that if a behavior contains infinitely many $\langle A\rangle_v$ steps, then it contains infinitely many $\langle \hat A^R\rangle_{\hat v}$ steps. To simplify this discussion, we temporarily drop the angle brackets and subscripts. We must show that infinitely many $A$ steps imply infinitely many $\hat A^R$ steps. Those infinitely many $A$ steps must include (i) infinitely many $A \wedge E$ steps or (ii) infinitely many $A \wedge M$ steps. We consider the two possibilities in turn.

To show that infinitely many $A \wedge E$ steps imply infinitely many $\hat A^R$ steps, it suffices to construct the virtual variables so that each $A \wedge E$ step is a $\widehat{A \wedge E}$ step. We have already constructed the virtual variables so that each $E$ step is also a $\hat E$ step. We must strengthen that construction so an $A \wedge E$ step is also a $\widehat{A \wedge E}$ step. Recall that, in Figure 2, the step $s_{44} \to s_{45}$ of the top behavior is a $\hat E$ step because the corresponding step $u_{46} \to u_{47}$ of the bottom behavior is an $E$ step. We must therefore guarantee that if $s_{44} \to s_{45}$ is an $A \wedge E$ step, then $u_{46} \to u_{47}$ is also an $A \wedge E$ step. Recalling the construction of the bottom behavior, shown in Figure 1, we see that we can make $u_{46} \to u_{47}$ an $A \wedge E$ step if $R$ right commutes with $A \wedge E$ and $L$ left commutes with $A \wedge E$. In general, reintroducing brackets and subscripts, we can guarantee that infinitely many $\langle A \wedge E\rangle_v$ steps imply infinitely many $\langle \hat A^R\rangle_{\hat v}$ steps with the additional hypotheses:

$$R \cdot \langle A \wedge E\rangle_v \Rightarrow \langle A \wedge E\rangle_v \cdot R \qquad\qquad \langle A \wedge E\rangle_v \cdot L \Rightarrow L \cdot \langle A \wedge E\rangle_v$$

These hypotheses are vacuous if $A \wedge E$ equals FALSE. If $A \wedge E$ equals $E$, they follow from the commutativity conditions we are already assuming.

Step (ii) in proving (18) is showing that if there are infinitely many $A \wedge M$ steps, then there are infinitely many $\hat A^R_M$ steps. It suffices to guarantee that if one of the steps in a complete execution of $M$ is also an $A$ step, then the corresponding $M^R$ step is an $A^R_M$ step. Figure 2 shows that an $X$ step corresponds to an $M^R$ step because its starting state $s$ satisfies $\nu(s) \xrightarrow{R^+} s$, its ending state $t$ satisfies $t \xrightarrow{L^+} \nu(t)$, and $M$ is not in the middle of its execution in states $\nu(s)$ and $\nu(t)$.
If the $X$ step is an $A \wedge X$ step, then it is clear that the corresponding $M^R$ step is an $A^R_M$ step. Suppose that one of the $R$ steps is an $A \wedge R$ step, and let $R_A$ equal $R^* \cdot (A \wedge R) \cdot R^*$. The $M^R$ step will be an $A^R_M$ step if the starting state $s$ of the $X$ step satisfies $\nu(s) \xrightarrow{R_A} s$. Figure 1 shows that we can construct $\nu$ to satisfy this condition if we can interchange $A \wedge R$ and $E$ actions — that is, if $A \wedge R$ (as well as $R$) right commutes with $E$. Similarly, when one of the $L$ steps is an $A \wedge L$ step, we can guarantee that the $M^R$ step is an $A^R_M$ step if $A \wedge L$ (as well as $L$) left commutes with $E$. Putting the brackets and subscripts in, we see that infinitely many $\langle A \wedge M\rangle_v$ steps imply infinitely many $\hat A^R$ steps if

$$\langle A \wedge R\rangle_v \cdot E \Rightarrow E \cdot \langle A \wedge R\rangle_v \qquad\qquad E \cdot \langle A \wedge L\rangle_v \Rightarrow \langle A \wedge L\rangle_v \cdot E$$

These hypotheses are vacuous if $A \wedge M$ equals FALSE. If $A \wedge M$ equals $M$, they follow from the commutativity conditions we are already assuming.

The argument we just made assumes that each execution of $M$ terminates. For example, a behavior might contain infinitely many $A \wedge R$ steps but no $X$ steps, in which case there would be no $A^R_M$ steps. We need the assumption that if there are infinitely many $A \wedge M$ steps, then there are infinitely many $X$ steps. So, we replace (18) with

$$S \wedge Q \wedge O \Rightarrow \exists \hat v : \Box I \wedge \hat S^R \wedge (\Box\Diamond\langle A\rangle_v \Rightarrow \Box\Diamond\langle \hat A^R\rangle_{\hat v}) \qquad (20)$$

where $O$ equals $\Box\Diamond\langle A \wedge M\rangle_v \Rightarrow \Box\Diamond\langle X\rangle_v$.

Finally, we showed only that infinitely many $\langle A\rangle_v$ steps imply infinitely many $\hat A^R$ steps, which are not necessarily $\langle \hat A^R\rangle_{\hat v}$ steps. We need to rule out the degenerate case in which those $\hat A^R$ steps are stuttering steps that leave $\hat v$ unchanged. We do this by assuming $(\langle A\rangle_v)^R_M \Rightarrow (v' \neq v)$. In most cases of interest, $M^R$ implies $v' \neq v$, so $(\langle A\rangle_v)^R_M \Rightarrow (v' \neq v)$ holds for any $A$.

A specification can contain a (possibly infinite) conjunction of fairness properties, so we must generalize from a single action $A$ to a collection of actions $A_i$, for $i$ in some set $\mathcal{I}$. The definitions above are generalized to

$$A_i^R \triangleq (A_i \wedge E) \vee (A_i)^R_M \qquad (21)$$
$$O \triangleq \forall i \in \mathcal{I} : \Box\Diamond\langle A_i \wedge M\rangle_v \Rightarrow \Box\Diamond\langle X\rangle_v$$

The theorem whose conclusion is the generalization of (20) is:

Theorem 3 With the notation and assumptions of Theorem 1, let $A_i$ be an action, for all $i$ in a finite or countably infinite set $\mathcal{I}$, and let $(A_i)^R_M$, $A_i^R$, and $O$ be defined by (17) and (21). If, in addition,

2. (c) $\forall i \in \mathcal{I} : R \cdot \langle A_i \wedge E\rangle_v \Rightarrow \langle A_i \wedge E\rangle_v \cdot R$
   (d) $\forall i \in \mathcal{I} : \langle A_i \wedge E\rangle_v \cdot L \Rightarrow L \cdot \langle A_i \wedge E\rangle_v$
   (e) $\forall i \in \mathcal{I} : \langle A_i \wedge R\rangle_v \cdot E \Rightarrow E \cdot \langle A_i \wedge R\rangle_v$
   (f) $\forall i \in \mathcal{I} : E \cdot \langle A_i \wedge L\rangle_v \Rightarrow \langle A_i \wedge L\rangle_v \cdot E$
   (g) $\forall i \in \mathcal{I} : (\langle A_i\rangle_v)^R_M \Rightarrow (v' \neq v)$

then $S \wedge Q \wedge O \Rightarrow \exists \hat v : \Box I \wedge \hat S^R \wedge (\forall i \in \mathcal{I} : \Box\Diamond\langle A_i\rangle_v \Rightarrow \Box\Diamond\langle \hat A_i^R\rangle_{\hat v})$.

To prove (19) and its analog for SF, it suffices to prove

$$I \wedge \mathrm{ENABLED}\,\langle \hat A^R\rangle_{\hat v} \Rightarrow \mathrm{ENABLED}\,\langle A\rangle_v$$

This can be done with the following result, which is a simple consequence of the definition of $I$.

Proposition 4 Let $I$ be defined by (13). For any state predicates $P$ and $Q$, if

(a) $P \Rightarrow Q$ \qquad (b) $Q \wedge R \Rightarrow Q'$ \qquad (c) $L \wedge Q' \Rightarrow Q$

then $I \wedge \hat P \Rightarrow Q$, where $\hat{\ }$ is defined as in Theorem 1.

Combining this proposition with the definitions of WF and SF proves the following corollary to Theorem 3.

Corollary 5 With the notations and assumptions of Theorem 3, if

3. (a) $\forall i \in \mathcal{I} : \mathrm{ENABLED}\,\langle A_i^R\rangle_v \Rightarrow \mathrm{ENABLED}\,\langle A_i\rangle_v$
   (b) $\forall i \in \mathcal{I} : (\mathrm{ENABLED}\,\langle A_i\rangle_v) \wedge R \Rightarrow (\mathrm{ENABLED}\,\langle A_i\rangle_v)'$
   (c) $\forall i \in \mathcal{I} : L \wedge (\mathrm{ENABLED}\,\langle A_i\rangle_v)' \Rightarrow \mathrm{ENABLED}\,\langle A_i\rangle_v$

then

$$S \wedge (\forall i \in \mathcal{I} : \mathrm{XF}_v(A_i)) \wedge Q \wedge O \;\Rightarrow\; \exists \hat v : \Box I \wedge \hat S^R \wedge (\forall i \in \mathcal{I} : \mathrm{XF}_{\hat v}(\hat A_i^R))$$

where $\mathrm{XF}_v(A_i)$ is either $\mathrm{WF}_v(A_i)$ or $\mathrm{SF}_v(A_i)$.

Hypothesis 3(a) holds automatically for each $i$ such that $A_i \wedge M$ equals FALSE or $M$, the two cases that inspired our definition of $A_i^R$. It is this hypothesis that most severely limits the class of actions $A_i$ to which we can apply the corollary. In applying the theorem or the corollary, we expect the specification's fairness properties to imply $Q \wedge O$.






7 Proofs

We now briefly describe how our results are proved; complete proofs will appear elsewhere. Theorem 1 follows from Theorem 3 by letting $\mathcal{I}$ be the empty set. We already observed how Corollary 2 is proved by showing that (15) implies $\mathcal{C}(S \wedge Q) = S$, a result that follows directly from the definition of $\mathcal{C}$ [1]. Proposition 4 is proved by a straightforward calculation based on the definitions of $I$ and of the $+$ operator; it easily proves Corollary 5. This leaves Theorem 3.

In Section 3 we sketched an intuitive proof of (8). Section 6 indicated how we can extend that proof to a proof of Theorem 3 for a single fairness condition — that is, when $\mathcal{I}$ contains a single element. We used hypotheses 2 to commute $A \wedge M$ or $A \wedge E$ steps. In the general case, we have the extra difficulty that the hypotheses do not allow us simultaneously to commute all the $A_i$ steps. When extending the construction shown in Figure 1, we must choose a single $A_i$ to commute at each step. The choice must be made in such a way that every $A_i$ that is executed infinitely often is chosen infinitely often.

This proof sketch can be turned directly into a semantic proof of Theorem 3. The theorem can also be proved using only the rules of TLA, with no semantic reasoning. The key idea is to introduce a history variable that gives the value of $\hat v$ when $\mathcal{R}$ is true (before $X$ is executed) and a prophecy variable that gives the value of $\hat v$ when $\mathcal{L}$ is true (after $X$ is executed). (History and prophecy variables are explained in [1].) In addition, we need a new type of infinite prophecy variable that tells which disjunct of $Q$ holds, as well as history and prophecy variables that choose, at each point in the construction, which $A_i$ to commute.

8 Further Remarks

We often want to use an invariant $Inv$ of the specification $S$ to verify the hypotheses of the theorems. For example, when proving that $R$ right commutes with $E$, we want to consider only states satisfying $Inv$. With TLA, it isn't necessary to weaken the hypotheses to take account of an invariant. Instead, we apply the general rule

$$\Box Inv \Rightarrow (\Box[A]_v \equiv \Box[Inv \wedge A \wedge Inv']_v)$$

Thus, if $S$ implies $\Box Inv$, then we can replace $M$ and $E$ by $Inv \wedge M \wedge Inv'$ and $Inv \wedge E \wedge Inv'$.

Many TLA specifications are of the form $\exists w : S \wedge F$, where $w$ is a tuple of "internal variables". Since one proves $(\exists w : S \wedge F) \Rightarrow \Pi$ by proving $S \wedge F \Rightarrow \Pi$ (renaming variables if necessary), it suffices to reduce $S \wedge F$. Thus, we can ignore existential quantification (hiding) when applying a reduction theorem.

References

[1] Martin Abadi and Leslie Lamport. The existence of refinement mappings. Theoretical Computer Science, 82(2):253-284, May 1991.

[2] Bowen Alpern and Fred B. Schneider. Defining liveness. Information Processing Letters, 21(4):181-185, October 1985.

[3] R. J. R. Back. Refining atomicity in parallel algorithms. Reports on Computer Science and Mathematics Ser. A, No 57, Swedish University of Åbo, February 1988.

[4] Ernie Cohen. Compositional Proofs of Asynchronous Programs. PhD thesis, University of Texas at Austin, May 1993.

[5] Ernie Cohen. A guide to reduction. Technical Report TM-ARH-023816, Bellcore, 1993. Available from the author at ernie@bellcore.com.

[6] Thomas W. Doeppner, Jr. Parallel program correctness through refinement. In Fourth Annual ACM Symposium on Principles of Programming Languages, pages 155-169. ACM, January 1977.

[7] David Gries and Ivan Stojmenovic. A note on Graham's convex hull algorithm. Information Processing Letters, 25(5):323-327, July 1987.

[8] Leslie Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, 16(3):872-923, May 1994.

[9] Leslie Lamport and Fred B. Schneider. Pretending atomicity. Research Report 44, Digital Equipment Corporation, Systems Research Center, May 1989.

[10] Richard J. Lipton. Reduction: A method of proving properties of parallel programs. Communications of the ACM, 18(12):717-721, December 1975.

[11] S. Owicki and D. Gries. An axiomatic proof technique for parallel programs I. Acta Informatica, 6(4):319-340, 1976.






